WebApp Sec mailing list archives
Re: Why doesn't Amazon enforce a password policy?
From: Gunnar Rene Øie <gunnarre () nvg ntnu no>
Date: Wed, 1 Nov 2006 13:10:13 +0100 (CET)
On Fri, 27 Oct 2006, Jeff Robertson wrote:
Well then I take back what I said.. I must be mixing them up with a different site.
Excuse me, but no, you should not take that back.Amazon *does* force you to re-enter you credit card number every time you add a new recipient address. And the only part of the credit card number that is shown to a logged on user is the last 4 digits, so that the user can recognize the different cards. If you get into a cracked account, all you get access to is
- ordering products and having them sent to one of the addresses that the user has used before - not very profitable, unless the identity thief is the usual family member or colleague. But if you're John Q. Cracker running around on the internet, you can't get any product.
- previous order history - whish list if it was not public before - previous addresses - last digits of credit card numbers- making mayhem by submitting spam/insane reviews, but these are moderated anyway
So a randomly cracked account can't give any direct material benifit to a cracker. They are only useful for learning something about the user or to annoy them by having them receive product that they didn't order. In any case, that product can be returned and Amazon doesn't lose any money (unless they refund the shipping to be kind to the customer).
As said by others here: You need to do a risk analysis and return-on-investment calculation based on YOUR situation. If you're selling goods in the same way as Amazon, then do it like Amazon, i.e. the user is responsible for protecting his/her own information, but anything of value to your company is not sent out without a re-confirmation of the credit card number. If your bread and butter is the secrecy of information IN the system then Amazon is not a good comparison.
Finding examples of companies that require a certain password length and strength is easy. You can probably find a competitor in your field who does it.
-- Regards , Vennlig hilsen Gunnar René Øie, MSc. IDI/NTNU PGP public key available -- Regards , Vennlig hilsen Gunnar René Øie, MSc. IDI/NTNU PGP public key available ------------------------------------------------------------------------- Sponsored by: WatchfireAppScan delivers new remediation capabilities, key regulatory compliance reporting, and productivity enhancements that dramatically improve, automate and streamline users' ability to quickly find, remediate and manage web application security vulnerabilities. Change the way you think about application security testing - download AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTE --------------------------------------------------------------------------
Current thread:
- Why doesn't Amazon enforce a password policy? James Strassburg (Oct 27)
- Re: Why doesn't Amazon enforce a password policy? Peter Conrad (Oct 30)
- Re: Why doesn't Amazon enforce a password policy? Tom Whiting (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jamie Riden (Nov 01)
- <Possible follow-ups>
- RE: Why doesn't Amazon enforce a password policy? James Strassburg (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Gunnar Rene Øie (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Gunnar Rene Øie (Nov 01)
- Re: Why doesn't Amazon enforce a password policy? Jeff Robertson (Nov 01)
- RE: Why doesn't Amazon enforce a password policy? Brooks, Shane (Nov 01)
- RE: Why doesn't Amazon enforce a password policy? Jason Gregson (Nov 01)